Posted: 19 hours ago
Job Description
<p><b>Position Name - Cloud Security Architect</b></p><p><b>Type of hiring - Full-time / Contract</b></p><p><b>Location - Markham, ON (Hybrid - 3 days per week in office)</b></p><p><br></p><p>Top capability skills required</p><ul><li>AWS Architect</li><li>AWS Security SME</li><li>IT security background</li></ul><p><br></p><p><b>Job Description:</b></p><p><br></p><p>The <b>Senior AWS Cloud Security Architect</b> is responsible for designing, implementing, and governing secure, compliant, and resilient AWS environments across multi-account cloud infrastructures. </p><p>You will lead the architecture and automation of identity, data protection, threat detection, and network segmentation controls across the AWS ecosystem. </p><p><br></p><p><b>Key Responsibilities: </b></p><ul><li>Design and implement secure landing zones using AWS Control Tower, AWS Organizations, and Service Control Policies (SCPs). </li><li>Define multi-account security guardrails for shared services, workloads, and sandbox environments. </li><li>Create reference architectures covering security zones, network segmentation, and cross-account communication (PrivateLink, AWS Cloud WAN). </li><li>Lead threat modelling and risk assessments for new workloads and services (Lambda, ECS, EC2, S3, RDS, DynamoDB, etc.). </li><li>Develop security-by-design templates integrated into Infrastructure as Code (IaC) pipelines. </li><li>Partner with compliance teams to maintain continuous alignment with CIS Benchmarks and organizational risk frameworks. </li><li>Implement federated access and single sign-on with AWS IAM Identity Center (successor to AWS SSO), Okta, and Microsoft Entra ID (formerly Azure AD). </li><li>Manage cross-account roles, STS trust policies, and temporary credentials for developers and third parties. </li><li>Automate secret and credential rotation with AWS Secrets Manager and AWS Systems Manager Parameter Store. </li><li>Enforce encryption at rest using AWS KMS, CloudHSM, and envelope encryption patterns. </li><li>Ensure encryption in transit (TLS 1.2/1.3) across internal and public endpoints. </li><li>Manage key rotation, cross-region replication, and an HSM-based root of trust. </li><li>Implement S3 Object Lock, Macie for data discovery and classification, and S3 Access Points for fine-grained data access. </li><li>Implement PrivateLink, AWS Cloud WAN, and Route 53 Resolver endpoints for private service-to-service connectivity and isolation. </li><li>Configure AWS WAF and AWS Shield Advanced for web application protection and DDoS mitigation. </li><li>Enforce egress control through NAT Gateway, AWS Gateway Load Balancer (GWLB), or custom proxies. </li><li>Deploy and integrate AWS Security Hub, GuardDuty, Macie, and Inspector for proactive threat detection. </li><li>Configure Amazon Detective for forensic investigation and anomaly correlation. </li><li>Integrate findings into SIEM/SOAR platforms such as FortiSOAR or Microsoft Sentinel. </li><li>Automate response playbooks with AWS Step Functions, Lambda, and SNS alerts. </li><li>Implement AWS Config rules and Conformance Packs to enforce compliance (e.g., CIS AWS Foundations Benchmark). </li><li>Use AWS Artifact for vendor assurance and control documentation. </li><li>Manage compliance dashboards via Security Hub, Trusted Advisor, and Control Tower drift detection. </li></ul><p><br></p><p><b>Core AWS Security & Supporting Services </b></p><ul><li>Identity & Access Management: IAM, IAM Identity Center (SSO), AWS Organizations, IAM Access Analyzer, Cognito, Resource Access Manager (RAM), Directory Service.</li><li>Encryption & Key Management: KMS, CloudHSM, Secrets Manager, SSM Parameter Store, Certificate Manager (ACM), AWS Private CA.</li><li>Network & Perimeter Security: Network Firewall, WAF, Shield (Standard & Advanced), PrivateLink, AWS Cloud WAN, Route 53 Resolver, Network Load Balancer, Application Load Balancer.</li><li>Threat Detection & Monitoring: GuardDuty, Detective, Security Hub, Inspector, Macie, CloudTrail, Config, CloudWatch, CloudWatch Logs, CloudWatch Metrics.</li><li>Compliance & Governance: Audit Manager, Artifact, Control Tower, Trusted Advisor, Config Conformance Packs, Service Catalog, Organizations SCPs. </li><li>Data Protection: S3 Object Lock, Macie, Lake Formation, DLP integrations, S3 Access Points. </li><li>Vulnerability & Posture Management: Inspector (EC2, ECR, Lambda), Trusted Advisor, Config, Security Hub. </li><li>Application & Container Security: ECR image scanning, ECS task IAM roles, Lambda least privilege, Secrets Manager, API Gateway authorization. </li><li>Incident Response & Automation: Step Functions, Lambda, Systems Manager Automation, SNS, CloudWatch Alarms, EventBridge Rules.</li></ul><p><br></p><p><b>Required Skills and Experience </b></p><ul><li>8+ years in cybersecurity, with 4+ years in AWS cloud security architecture. </li><li>Deep understanding of the AWS Well-Architected Framework (Security Pillar). </li></ul><p><br></p><p><b>Preferred Certifications </b></p><ul><li>AWS Certified Security - Specialty </li><li>AWS Certified Solutions Architect - Professional </li><li>CISSP / CISM / CCSP / GCSA (GIAC Cloud Security Automation)</li></ul><p></p>